Flaw or Not, Microsoft to Patch Services Problem

While claiming it is a design problem, not a flaw, Microsoft nevertheless is working on patches for services within Windows that run with inappropriately high privileges.

Microsoft Corp. is working on patches for several services within Windows that run with inappropriately high privileges, making the operating system vulnerable to a sophisticated attack that could lead to a complete compromise of the machine.
The fixes in the works are meant to prevent interactive services on the Windows desktop from running with the same privileges as the most highly privileged service. By design, all of the interactive services are on an equal footing and can trade requests with other services on the desktop. This fact means that an attacker who was able to gain control of one of the services could then use it to elevate his privileges and possibly gain control of the system.
Chris Paget, a British security researcher, published a white paper in early August describing the situation, calling it an "unfixable" flaw in the Microsoft Win32 API. Security experts are divided over whether the problem actually constitutes a security vulnerability or is in fact simply a design problem. Although Microsoft and some members of the security and developer community had known about the issue previously, Pagets paper generated quite a lot of interest and concern, prompting the software makers response.

"This really is not a security model flaw because you can clearly implement a program not to be vulnerable to this. Higher privileged programs such as services running as system should not be taking input from lower privileged users without filtering it," said Chris Wysopal, director of research and development at @stake Inc., a security consultancy and research firm in Cambridge, Mass. "Windows messages need to be thought of as untrusted input just like network traffic. I would consider this an application design error. I think that the controversy over this is because people cant agree to whether or not the OS should be protecting applications from malicious inter-process messages. Windows does not document that the system protects from this. It is up to the application developer."

Either way, after a month of consideration, security officials at Microsoft, in Redmond, Wash., believe there is enough of an issue to warrant the production of several patches.
In a report posted on its TechNet Web site this week, Microsoft officials said they "found a small number of cases in which Microsoft-developed interactive services do run with inappropriately high privileges." The company plans to release the patches shortly and is also looking at making some other changes to the Windows code that should make it more difficult to exploit this issue.
Related stories: